Date posted: 15-Jan-2017
Category: Technology
Uploaded by: cheryl-biswas
05/01/2023 "How to Rob a Bank" by @3ncr1pt3d 1
How To Rob A Bank
The SWIFT and easy way to grow your online savings
Cheryl Biswas @3ncr1pt3d
Toronto, Canada
Threat Intel Analyst at KPMG Canada
Into: Stuxnet, Mainframes, ICS SCADA, Star Trek
LinkedIn Pulse, Talks, Blogs, TiaraCon
DISCLAIMER The views expressed here are solely my own and do NOT reflect those of my employer.
A Tale of Two Servers
Once Upon a Time There was a bank
It needed … Magic!
What Is SWIFT
• The Society for Worldwide Interbank Financial Telecommunication (if that doesn’t sound like something from a James Bond movie …)
• A secured and trusted exchange for financial messages
• Banks use it to send back-end payment instructions to each other
• Brussels-based banking consortium
• Does NOT hold funds or manage accounts for customers
SWIFT Transactions for Dummies
• Each financial org gets a unique code of 8 or 11 characters. This is the BIC (Bank Identifier Code), also called the SWIFT ID or ISO 9363 code
• The first 4 characters identify the institution; the next 2 are the country; the next 2 are the location/city; the last 3 are the branch code and are optional. E.g. DEUTDEFF = Deutsche Bank, Germany, Frankfurt
• You can send a message through a SWIFT member bank if you have the recipient’s corresponding SWIFT code and account id
• Other message services are Fedwire, CHIPS and Ripple, but SWIFT is the biggest and best at doing this
SWIFT By Numbers
Currently:
• 200 countries
• 10,800 users
• $9 trillion transferred daily
• Started 40 years ago
• 99.99% availability (thank you mainframes)
“The global backbone of the financial industry”
A Zero-Risk Approach to Failure
• Confidentiality
• Efficiency
• Reliability
• Security
• Resilient topology
• Robust software designs
Just How Does This Add Up to Security?
“Our record availability levels are a direct result, and proof of, our security commitment”
“We relentlessly pursue operational excellence and continually seek ways to lower costs, reduce risks, and eliminate operational inefficiencies”
What’s missing here?
Dangerous Assumptions
• Air-gapped is absolute. It isn’t
• Private networks ensure safety. They don’t
• Special systems operating in their own secure enclaves, with their own proprietary setups, will remain impenetrable. They won’t
• Inherent protections. Are not.
No Virginia, there is no Inherent Security
TRUST ISSUES
What do we know about TRUST, people?
Complete the sentences:
1. Trust …
2. Trust …
Then one day the Magic stopped working
Banker’s Hours
Hello?
BAE SYSTEMS DIAGRAM
The Telltale Printer: "HP LaserJet 400 M401" SILENCED
And another question
“Extensive integrity controls built into SWIFT apps to protect against unauthorized changes to messages and to detect corruption of messages” (SWIFT website)
So how exactly did that Oracle db thing get by you?
"It was the bank's systems or controls that were compromised, not the software. The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."
William Murray, independent payments security consultant
Heist by Numbers
COUNTRY       BANK                AMOUNT     DATE
Bangladesh    Bangladesh Bank     $81 Mil    Feb 2016
Philippines   Unnamed                        2015
Ecuador       Banco Del Austro    $12 Mil    June
Vietnam       Tien Phong Bank     Failed     June
Ukraine       Unnamed             $10 Mil    April
About that $10 switch …
The FED vs SWIFT
“SWIFT is … as flaky as ICS or SSL … you can’t separate workstations from SWIFT and remove them from the network.”
Risky Business Podcast
Now with MORE Security!
A SWIFT Response
• The new Customer Security Programme (CSP)
• 5 steps to better security: 5 strategic initiatives
• Daily Validation Reports. Out-of-band access.
• “customer systems or operational staff that have been compromised and locally stored records that have been obfuscated”
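The out-of-band Daily Validation Report matters because a compromised host can show its operators a doctored ledger (the silenced printer and the tampered database earlier in the talk are exactly that); the defence is to reconcile local records against a summary the attacker cannot edit. The Python below is an added example, not SWIFT's CSP code or report format: the `Payment` fields, the `reconcile` and `unreconciled_outflow` helpers, the host-side ledger, the report contents and the BIC ABCDPHMM are all constructed for illustration.

```python
# Added example, not from the talk and not SWIFT's own report format:
# reconcile a bank's local record of outbound payment messages against a
# daily validation report delivered out of band. All records are constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Payment:
    ref: str              # transaction reference
    beneficiary_bic: str  # receiving institution
    amount: Decimal
    currency: str


Finding = Tuple[str, str, str]  # (kind, ref, detail)


def reconcile(local: Iterable[Payment], report: Iterable[Payment]) -> List[Finding]:
    """Compare the locally stored ledger with the out-of-band report.

    Three kinds of discrepancy matter to a defender:
    - MISSING_LOCALLY: the network carried a message the local records no
      longer show (records deleted or obfuscated on the host)
    - MISMATCH: both sides know the ref but the fields differ (local copy
      altered after the fact)
    - NOT_IN_REPORT: a local record the network never saw
    """
    local_by_ref = {p.ref: p for p in local}
    report_by_ref = {p.ref: p for p in report}
    findings: List[Finding] = []
    for ref, sent in report_by_ref.items():
        seen = local_by_ref.get(ref)
        if seen is None:
            findings.append(("MISSING_LOCALLY", ref,
                             f"{sent.amount} {sent.currency} to {sent.beneficiary_bic}"))
        elif (seen.beneficiary_bic, seen.amount, seen.currency) != (
                sent.beneficiary_bic, sent.amount, sent.currency):
            findings.append(("MISMATCH", ref,
                             f"local {seen.amount} {seen.currency} to {seen.beneficiary_bic}"
                             f" vs report {sent.amount} {sent.currency} to {sent.beneficiary_bic}"))
    for ref in sorted(local_by_ref.keys() - report_by_ref.keys()):
        findings.append(("NOT_IN_REPORT", ref, "local record with no network counterpart"))
    return findings


def unreconciled_outflow(findings: List[Finding], report: Iterable[Payment]) -> Decimal:
    """Total value that the local books fail to account for (missing or altered refs)."""
    flagged = {ref for kind, ref, _ in findings if kind in ("MISSING_LOCALLY", "MISMATCH")}
    return sum((p.amount for p in report if p.ref in flagged), Decimal("0"))


# Constructed sample: what the bank's (tampered) database shows ...
LOCAL_LEDGER = [
    Payment("TRN0001", "DEUTDEFF", Decimal("250000.00"), "USD"),
    Payment("TRN0002", "DEUTDEFF", Decimal("1200.00"), "USD"),      # amount altered locally
]
# ... versus what the out-of-band report says actually went over the network.
DAILY_REPORT = [
    Payment("TRN0001", "DEUTDEFF", Decimal("250000.00"), "USD"),
    Payment("TRN0002", "DEUTDEFF", Decimal("1200000.00"), "USD"),
    Payment("TRN0003", "ABCDPHMM", Decimal("20000000.00"), "USD"),  # absent from local records
]

if __name__ == "__main__":
    found = reconcile(LOCAL_LEDGER, DAILY_REPORT)
    for kind, ref, detail in found:
        print(f"{kind:16} {ref} {detail}")
    print("unaccounted outflow:", unreconciled_outflow(found, DAILY_REPORT))
```

The point of the design is where the report comes from: it only detects tampering if it is fetched over a channel and by a person that the compromised operator workstation does not control, which is why the slide pairs the reports with out-of-band access.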
SWIFT New Core Security Standards
“The Swift payment system is only as strong as the operational controls built and enforced around it … and a lack of strong policies and procedures for increased vulnerabilities.”
Mark Williams, lecturer at Boston University
“The Vietnam case shows that the global banking system is vulnerable to cyber attacks, and we should make a global effort to prevent these attacks” Bangladesh Bank spokesman Subhankar Saha said Monday.
Who Dunnit?
It was the Lazarus Group, in North Korea, with a wrench
The Sony Hack
Meanwhile, back on the ranch …
“If we haven’t seen them in the US it’s because nobody’s bothered … Most Western banks have not had to deal with these attacks”
Brian Krebs on Risky Business podcast
“Banks are fighting a war on every conceivable front. It’s a losing battle. There’s no way to share enough information among enough people.”
Anonymous source
Which brings us to … Odinaff
• Discovered January 2016 attacking banks, securities, trading, payroll globally
• Mounted attacks on SWIFT users, malware hiding fraudulent transactions
• Lightweight backdoor Trojan
• Makes use of common hacking and legitimate software tools like mimikatz, PsExec, Netscan, PowerShell, Runas
• Malware designed to compromise specific computers. Requires a lot of manual intervention
• Linked to Carbanak through shared infrastructure, 3 C&C IP addresses, backdoor Batel
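Because Odinaff leans on legitimate tooling, a defender's detection looks for those tools turning up on hosts where they have no business, and scores the combination rather than paging on any single one. The Python below is an added example, not from the talk or from any vendor's Odinaff analysis: the tab-separated log layout, the rule weights and threshold, the host and user names and every sample event are constructed for this illustration.

```python
# Added example, not from the talk or from any vendor's Odinaff report: flag
# the dual-use tooling the slide lists (mimikatz, PsExec, Netscan, PowerShell,
# Runas) in process-creation events and roll the hits up per host. Log layout,
# rule weights, threshold, hosts, users and events are all constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Event(NamedTuple):
    ts: str
    host: str
    user: str
    image: str      # executable path
    cmdline: str


# Each rule: name, weight, predicate on (lower-cased image basename, command line).
# Weights are illustrative: tools with little legitimate use on a payment
# operator's workstation score high; PowerShell alone is far too common to
# alert on, so it only scores when invoked hidden or with an encoded command.
RULES = [
    ("mimikatz", 10, lambda img, cmd: "mimikatz" in img or "mimikatz" in cmd.lower()),
    ("psexec", 6, lambda img, cmd: img.startswith("psexec")),
    ("netscan", 4, lambda img, cmd: "netscan" in img),
    ("powershell_encoded", 5, lambda img, cmd: img == "powershell.exe"
        and re.search(r"-(e|enc|encodedcommand)\b", cmd, re.I) is not None),
    ("powershell_hidden", 3, lambda img, cmd: img == "powershell.exe"
        and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I) is not None),
    ("runas", 2, lambda img, cmd: img == "runas.exe"),
]


def parse_line(line: str) -> Event:
    """Fields are tab-separated: time, host, user, image path, command line."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("\t", 4)
    return Event(ts, host, user, image, cmdline)


def match_rules(ev: Event) -> List[str]:
    basename = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [name for name, _, pred in RULES if pred(basename, ev.cmdline)]


def score_hosts(lines: Iterable[str], threshold: int = 8) -> Dict[str, dict]:
    """Per-host summary; 'alert' is True once the summed weight reaches the
    threshold, so a lone admin tool does not page anyone but the combination
    the slide describes does. Hosts with no hits are not included."""
    weights = {name: w for name, w, _ in RULES}
    per_host: Dict[str, dict] = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for name in match_rules(ev):
            per_host[ev.host]["score"] += weights[name]
            per_host[ev.host]["hits"].append((ev.ts, name, ev.user))
    for summary in per_host.values():
        summary["alert"] = summary["score"] >= threshold
    return dict(per_host)


# Constructed sample events. The second line shows a renamed copy of a tool
# (ps.exe), which image-name rules miss: a reminder to also key on behaviour.
SAMPLE_LOG = """\
2016-03-01T02:11:05Z\tops-ws-07\tCORP\\jdoe\tC:\\Windows\\System32\\runas.exe\trunas /user:CORP\\svc_pay cmd.exe
2016-03-01T02:12:40Z\tops-ws-07\tCORP\\jdoe\tC:\\Users\\Public\\ps.exe\tps.exe \\\\fin-srv-02 -s cmd.exe
2016-03-01T02:13:02Z\tops-ws-07\tCORP\\jdoe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -w hidden -enc SQBFAFgA
2016-03-01T02:15:19Z\tops-ws-07\tCORP\\jdoe\tC:\\Users\\Public\\m.exe\tmimikatz.exe
2016-03-01T08:30:00Z\tadmin-ws-01\tCORP\\admin\tC:\\Tools\\PsExec.exe\tpsexec \\\\fin-srv-02 ipconfig
2016-03-01T09:00:00Z\tdev-ws-03\tCORP\\dev\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -File build.ps1
"""

if __name__ == "__main__":
    for host, summary in score_hosts(SAMPLE_LOG.splitlines()).items():
        print(host, summary["score"], "ALERT" if summary["alert"] else "ok", summary["hits"])
```

Note what the scoring does and does not give you: the operator workstation trips the threshold on the combination of runas, hidden encoded PowerShell and mimikatz, the admin host running PsExec stays below it, and the renamed ps.exe is never seen by name, which is why this kind of rule set belongs beside behavioural telemetry rather than in place of it.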
Imagine Dragonz
But what if I told you there was a fire-breathing dragon
Breach the Moat
How the Mighty Fall
Bigendian POC
Hospital ransomware + JBOSS
What Would You Do Better?
The Moral of the Story
• Trust No One / Trust but Verify
• Go looking for the big bad wolf before you get eaten
• For God’s sake do the basics right
• Don’t Assume Anything. It makes an ass out of U and Me
Thank You!!
• @bigendiansmalls
• @mainframed767
• SecTor
• DefensiveSec, Brakeing Down Security and Risky Business podcasts
• Numerous members of the InfoSec community